CVE-2025-11521

High

Published: 11 November 2025

Published

11 November 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0029 52.4th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

The Astra Security Suite – Firewall & Malware Scan plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient validation of remote URLs for zip downloads and an easily guessable key in all versions up to, and including,…

0.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly addresses the insufficient validation of remote URLs for zip downloads that enables arbitrary file uploads.

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and remediation of the plugin flaw to eliminate the vulnerability.

SI-3 Malicious Code Protection good match

preventdetect

Deploys malicious code protection at entry points to detect and block arbitrary malicious files uploaded via the vulnerability.

Security SummaryAI

CVE-2025-11521 is an arbitrary file upload vulnerability in the Astra Security Suite – Firewall & Malware Scan plugin for WordPress, affecting all versions up to and including 0.2. The flaw arises from insufficient validation of remote URLs used for zip downloads combined with an easily guessable key, enabling attackers to place arbitrary files on the server. Published on 2025-11-11, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-285 (Improper Authorization).

Unauthenticated attackers can exploit this vulnerability remotely with high attack complexity but no privileges or user interaction needed. By leveraging the weak validation and guessable key, they can upload arbitrary files to the WordPress site's server, which may result in remote code execution depending on the file type and server configuration.

Mitigation details and patch information are available in advisories such as the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/f99a6b5c-e95d-49d0-a4b2-1d7188447da1?source=cve and the plugin page at https://wordpress.org/plugins/getastra/. Security practitioners should review these sources for updates and remediation steps.

Details

CWE(s): CWE-285

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability enables unauthenticated arbitrary file uploads through a public-facing WordPress plugin, directly facilitating T1190: Exploit Public-Facing Application, potentially leading to RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://wordpress.org/plugins/getastra/
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/f99a6b5c-e95d-49d0-a4b2-1d7188447da1?source=cve
security@wordfence.com